Why Are IRS Retention Standards More Lax Than Standards for Taxpayers?

Posted by Jim Hoft on Saturday, June 21, 2014, 9:00 PM

Guest post by J. Hoft

As Ed Morrissey noted at The Week, the IRS reported to Congress late last Friday that a hard drive failure on Lois Lerner's computer wiped out two years of her email data, the two years investigators were interested in. Not only that, but the IRS then claimed it had recycled its backup tapes, so that only six months of server backups were available.

There is no way that an individual in a lead position at the IRS could lose emails because her computer crashed. For the current IRS Commissioner to say so is either a lie or a sign that he is incompetent on too many levels to count.

Here is a list of the more obvious questions that expose this fabrication:

Why the delay in telling Congress of the lost emails? As Morrissey notes “First, despite having demanded these records from the IRS for over a year, the agency waited until now (and in a Friday afternoon document dump, no less) to inform Congress of the supposed loss of emails. That makes it look very suspicious, and put together with Lerner’s refusal to testify, even more so.”

What are emails doing saved on an individual's computer? This is not standard practice in the corporate world, and it should certainly not be at the IRS. Ask any IT novice and they can tell you that email is stored on mail servers, which are distinct pieces of hardware separate from an individual's desktop or laptop. Those servers are then backed up on a regular schedule (daily, weekly, monthly, quarterly and annually), and many companies can retrieve mail going back seven to ten years or more; the government surely has standards requiring email to be retained for a number of years. The only common way a message ends up existing solely on a workstation is when the mail client is configured to move older messages into a local archive file and delete the server copy, which is exactly the configuration a records policy has to forbid for anyone whose mail is a federal record. As Morrissey notes: "While people send and receive emails via client programs on their computers, the messages go through databases on servers, which is where records are stored and duplicated for backup. A local hard-drive failure would have nothing to do with that record retention in a professional IT environment. The data would still reside on the servers and could be easily reconstituted from the backup. In fact, IRS Commissioner John Koskinen testified in March that the data existed on the agency's servers, and not the local hard drives."

What is the IRS's email retention policy? Congress should ask the IRS what its retention policy is and why it was not adhered to, assuming the IRS acts as other government and corporate entities do with regard to email retention. Many regulators require companies to maintain records for seven years or more. Does the IRS adhere to government standards and requirements? As Morrissey notes, the federal government has strict expectations for publicly held corporations: under the Sarbanes-Oxley regulations, corporations are specifically required to retain email data for five years, and destroying emails like the ones the IRS claims to have lost would be a crime punishable by 20 years in prison. In addition, the IRS's own manual makes it clear that email records are important enough that the official copy must be kept somewhere other than the mail system: "IRS offices will not store the official recordkeeping copy of email messages that are federal records ONLY on the electronic mail system," and it even goes so far as to require hard copies "for record-keeping purposes." The manual is explicit: per Internal Revenue Manual section 1.10.3.2.3 (07-08-2011), the Federal Records Act applies to email records just as it does to records created using other media.

Does the IRS keep only six months of email for all employees, or only for those whose emails have been requested by Congress? Either way, if the IRS is keeping only six months of email, it is out of compliance with federal law and its own policies.
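The two questions above come down to one mechanism: full server backups that are overwritten on a fixed rotation, and a preservation hold that freezes whatever tapes are still on the shelf the day it is placed. The following is an added illustration written for this page, not IRS code or IRS data: the backup catalog, the 182-day rotation, the two messages and the hold dates are all constructed. It models a message that was moved off the server into a local archive (and so survives only in backups taken before that move) next to one that stayed on the server, and reports what a late hold versus an early hold would have preserved, and the last calendar day on which a hold would still have caught the archived message.

```python
"""Backup rotation versus records hold, as an added illustration.

Models a mail server whose full backups are overwritten after a fixed rotation
period and asks, for a given message, whether any surviving backup still holds
it and by what date a preservation hold would have had to be placed.  Catalog,
rotation period, messages and hold dates are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Snapshot:
    taken: date  # a full backup captures every message on the server that day


@dataclass(frozen=True)
class Message:
    sent: date
    # Date the message left the server (e.g. moved into a local archive file);
    # None means it is still on the server.
    removed_from_server: Optional[date]


def monthly_snapshots(start: date, end: date) -> List[Snapshot]:
    """Constructed catalog: one full backup on the first of each month, start..end inclusive."""
    snaps, y, m = [], start.year, start.month
    while date(y, m, 1) <= end:
        snaps.append(Snapshot(date(y, m, 1)))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return snaps


def expires_on(snap: Snapshot, rotation_days: int) -> date:
    """First day the tape may be overwritten under the rotation policy."""
    return snap.taken + timedelta(days=rotation_days)


def hold_deadline(snap: Snapshot, rotation_days: int) -> date:
    """Last day a hold can be placed and still freeze this tape before it rotates out."""
    return expires_on(snap, rotation_days) - timedelta(days=1)


def surviving_snapshots(snaps, rotation_days, as_of, hold_placed=None) -> List[Snapshot]:
    """Backups still on hand at `as_of`: not yet expired, or frozen by a hold placed before expiry."""
    return [s for s in snaps
            if expires_on(s, rotation_days) > as_of
            or (hold_placed is not None and expires_on(s, rotation_days) > hold_placed)]


def captured_by(msg: Message, snap: Snapshot) -> bool:
    """True if the message was on the server on the day this backup was taken."""
    return msg.sent <= snap.taken and (msg.removed_from_server is None
                                       or msg.removed_from_server > snap.taken)


def oldest_recoverable(snaps, rotation_days, as_of, hold_placed=None) -> Optional[date]:
    """Earliest backup still on hand; nothing removed from the server before it can be restored."""
    kept = surviving_snapshots(snaps, rotation_days, as_of, hold_placed)
    return min(s.taken for s in kept) if kept else None


def recoverable(msg, snaps, rotation_days, as_of, hold_placed=None) -> bool:
    """True if at least one surviving backup contains the message."""
    return any(captured_by(msg, s)
               for s in surviving_snapshots(snaps, rotation_days, as_of, hold_placed))


def last_chance_to_hold(msg, snaps, rotation_days) -> Optional[date]:
    """Latest date a hold could still have preserved some backup containing this message."""
    deadlines = [hold_deadline(s, rotation_days) for s in snaps if captured_by(msg, s)]
    return max(deadlines) if deadlines else None


# ---- constructed scenario (illustrative values, not real data) ----
ROTATION_DAYS = 182                                   # six-month tape rotation
CATALOG = monthly_snapshots(date(2010, 1, 1), date(2014, 6, 1))
AS_OF = date(2014, 6, 20)
LATE_HOLD = date(2014, 6, 13)                         # hold placed only after the loss is reported
EARLY_HOLD = date(2011, 6, 15)                        # hold placed while older tapes still existed
ARCHIVED_MSG = Message(sent=date(2010, 3, 15), removed_from_server=date(2011, 4, 1))
SERVER_MSG = Message(sent=date(2013, 11, 20), removed_from_server=None)

if __name__ == "__main__":
    print("oldest backup on hand:", oldest_recoverable(CATALOG, ROTATION_DAYS, AS_OF, LATE_HOLD))
    for label, msg in (("archived-then-lost", ARCHIVED_MSG), ("still on server", SERVER_MSG)):
        print(label, "recoverable with late hold:",
              recoverable(msg, CATALOG, ROTATION_DAYS, AS_OF, LATE_HOLD))
    print("archived-then-lost recoverable with early hold:",
          recoverable(ARCHIVED_MSG, CATALOG, ROTATION_DAYS, AS_OF, EARLY_HOLD))
    print("last day a hold would have saved it:",
          last_chance_to_hold(ARCHIVED_MSG, CATALOG, ROTATION_DAYS))
```

With these constructed values the late hold leaves only the January 2014 tape and newer on the shelf, so the message that was archived off the server in April 2011 is unrecoverable while the one still on the server is fine; the same message is recoverable under the early hold, and the computed deadline shows the last day on which any hold would still have mattered. That deadline is the number an investigator wants: it turns "the tapes were recycled" into a question of when the preservation obligation attached relative to the rotation schedule.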

Why does the IRS have retention standards that differ from taxpayers? As Morrissey notes, “the IRS is the one agency that demands everyone else keep spotless records for seven years or more on their returns. Now we find out that they’re only keeping their own documentation for six months? For a nation founded on the rule of law and equality under it, this retention for thee but not for we will likely offend a lot more people than extra scrutiny for conservative tax-exempt applicants did, and the lame dog ate my homework excuse will offend the rest.”

Does the IRS have a contingency plan to recover lost data? Any organization of the IRS's size has contingency plans in place for lost data. Losing a division head's emails would surely be an event that triggers specific actions by IT personnel to recover the data. Were those procedures performed when the data was lost? If they were, and the data is still lost, what is wrong with the contingency plans, and have those gaps been addressed? The National Institute of Standards and Technology (NIST) Computer Security Division's Computer Security Resource Center lists the publications that govern federal information systems; one of them, Special Publication 800-34, is the Contingency Planning Guide for Federal Information Systems.

According to this publication, Federal Information Processing Standards (FIPS) are developed by NIST under the Federal Information Security Management Act (FISMA). FIPS are approved by the Secretary of Commerce and are compulsory and binding on federal agencies; because FISMA requires agencies to comply with them, agencies may not waive their use. One caveat a practitioner would add: SP 800-34 itself is guidance, not a FIPS. The binding requirement is FIPS 200, which makes contingency planning one of the minimum security requirements for every federal system and points agencies to the SP 800-53 controls, whose contingency-planning family covers system backups, restoration and plan testing. Congress needs to determine whether the IRS complies with those requirements. If not, the IRS is out of compliance with the federal standards that SP 800-34 is written to support. If the IRS does have a contingency plan, did it follow that plan when the computers of employees whose emails Congress had requested crashed? If not, why not? If so, what failed?

Why did the most recent external auditor's report on the IRS's financial processes and internal controls not mention any IRS noncompliance with government regulations on data retention or business continuity? The US Government Accountability Office (GAO), under the authority of the Chief Financial Officers Act of 1990, annually audits the IRS's financial statements to determine (1) whether the financial statements are fairly presented and (2) whether IRS management maintained effective internal control over financial reporting. The GAO also tests the IRS's compliance with selected provisions of applicable laws, regulations, contracts and grant agreements. The latest GAO audit, covering the fiscal years ending in 2012 and 2013, made no mention of the IRS being out of compliance with data retention or disaster recovery requirements. It did report material weaknesses in internal controls over unpaid tax assessments, but nothing about data retention or disaster recovery. Because that audit is scoped to controls over financial reporting, Congress should also ask whether email records management was within its scope at all, and if not, who is auditing it.

Have any internal audits or quality control reviews been conducted of the IRS's data security or contingency plans, and if so, do they mention any IRS noncompliance with government regulations on retention or business continuity? Reviews of retention or business continuity processes performed by the IRS itself, or by outside bodies such as the Treasury Inspector General for Tax Administration, could be damning to the IRS's current alibi for the lost emails. Those reports may also describe the policies actually in place at the IRS for these areas, which could conflict with the current story.

Why aren't more IRS personnel standing up? I've met good and sharp people who worked for the IRS when sitting for the CPA examination. It is puzzling why more of them are not standing up and choosing to share the truth about this historic scandal.